OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:21.ssh [REVISED]
From: FreeBSD Security Advisories (security-advisoriesfreebsd.org)
Date: Wed Jun 07 2000 - 19:17:16 CDT


-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:21 Security Advisory
                                                                FreeBSD, Inc.

Topic: ssh port listens on extra network port [REVISED]

Category: ports
Module: ssh
Announced: 2000-06-07
Credits: Jan Koum <jkbbest.com>
Affects: Ports collection.
Corrected: 2000-04-21
FreeBSD only: Yes

I. Background

SSH is an implementation of the Secure Shell protocol for providing
encrypted and authenticated communication between networked machines.

II. Problem Description

A patch added to the FreeBSD SSH port on 2000-01-14 incorrectly
configured the SSH daemon to listen on an additional network port,
722, in addition to the usual port 22. This change was made as part of
a patch to allow the SSH server to listen on multiple ports, but the
option was incorrectly enabled by default.

This may cause a violation of security policy if the additional port
is not subjected to the same access-controls (e.g. firewallling) as
the standard SSH port.

Note this is not a vulnerability associated with the SSH software
itself, and it is not likely to be a risk for the majority of
installations, since a remote user must still have valid SSH
credentials in order to access the SSH server on the alternate
port. The risk is that users may be able to access the SSH server from
IP addresses which are prohibited to connect to the standard port.

The ssh port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
over 3300 third-party applications in a ready-to-install format. The
ports collection shipped with FreeBSD 4.0 contains this problem since
it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

FreeBSD 4.0 ships with OpenSSH, a free implementation of the SSH
protocol, included within the base system. OpenSSH does not suffer
from this misconfiguration.

III. Impact

Remote users with valid SSH credentials may access the ssh server on a
non-standard port, potentially bypassing IP address access controls on
the standard SSH port.

If you have not chosen to install the ssh port/package, or installed
it prior to 2000-01-14 or after 2000-04-21, then your system is not
vulnerable to this problem.

IV. Workaround

One of the following:

1) Comment out the line "Port 722" in /usr/local/etc/sshd_config and
restart sshd

2) Add filtering rules to your perimeter firewall, or on the local
machine (using ipfw or ipf) to limit connections to port 722.

3) Deinstall the ssh port/package, if you you have installed it.

V. Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the ssh port.

2) download a new port skeleton for the ssh port from:

http://www.freebsd.org/ports/

and use it to rebuild the port. Note that packages are not provided
for the ssh port.

3) Use the portcheckout utility to automate option (2) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

VI. Revision History

v1.0 2000-06-07 Initial release
v1.1 2000-06-07 Corrected typo in name of sshd config file

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOT7lF1UuHi5z0oilAQHLaQP+LyCyEfrzDh63awRl8swXzHLpYib1upd+
nUbctw+HOc7GfWGCUFfzhTUWvuwjqx43reE1XSX5ETXm4nVKwMDCum35FomlrUB+
3LQeXHgsogeTmGzNoWqaJBhvC7ffMBWZrW4JFokasyWbOgJhhWiklBRVojkale0Y
e+CNOgK3f3U=
=no4A
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message